Receiving a request from a client to audit your cybersecurity can lead to anxiety. Not only do you want to make sure you’re responding accurately, but you also want to be certain you don’t give too much, or too little, information.
We’re seeing law firms, consulting firms, and associations alike having to respond to questionnaires about their cybersecurity posture, and many are unsure of where to start.
We’re here to make it less stressful by offering these tips:
1 – Pass it to IT.
You might receive the audit within your sales or client service departments, but these questionnaires are highly technical and will need to go to your IT team for accurate responses. Whether you have an internal team or an outsourced one, they should be able to respond to the audit with the following guidelines in mind.
2 – Keep it literal.
Respond honestly, but at the yes/no level. For example, if an audit asks whether your organization uses multi-factor authentication, you don’t need to send an exhaustive list of every application you use, whether each one offers MFA, and how many accounts have MFA enforced. There is also no reason to provide information about a system that is not relevant to that particular client. Your internal HR platform, for example, is likely out of scope for the audit.
3 – It’s OK to say No.
Don’t panic if you find that you must answer “no” to some of the questions. In our experience, auditors will respond to a “no” with “when can it be ‘yes’?” They are trying to determine how seriously you take security, not whether you are perfect out of the gate. If it comes to that, however, be sure that you…
4 – Don’t overcommit.
If you say you anticipate having a certain policy in 6 months, your client will ask for it in 6 months. Only promise what you know for certain you can deliver, and have evidence to back every response. If your accounting team follows a procedure to verify requests for financial transfers, for example, that procedure must be written out somewhere.
If you anticipate a security audit in your future and want to ensure that your security practices are adequate, check out our resources here to make some progress on your own, or reach out to our team for some help!